This project has moved. For the latest updates, please go here.

How do you arrange authentication with your VM Factory?

Dec 18, 2011 at 3:54 AM

 I am logged onto my Hyper-V host using a domain administrator account. I created a VM called VMFACTORY.  I followed your recommendation and put my VMFACTORY machine in a workgroup VSTRANGERS.

I updated my Deployment Share, generating an ISO image in the process.

I then created a new VM, and tried to attach the ISO so I could boot to this and deploy the resulting software.  But, when I try to attach the boot image (VSTSR-MDT-NLL-LiteTouchPE_x64.iso) that is inside of machine VMFACTORY, it does not have a valid user name and password.  This is I would expect. When I try to browse the share by hand, I am challenged for a user name and password.  I enter the local machine account and it stores it in my windows credentials vault. However, Hyper-V still complains about an unknown user name and password.

How do you deal with this? Do you join your vmfactory to your domain where your hyper-v host is? If not, how do you grant Hyper-V permission to access the share? I tried copying the ISO outside of the share, but that does not help much because the boot process MDT uses just tries to go back to the share to get the resources it needs. Unlike a regular ISO of an OS, this ISO is only 200MB and obviously it expects to get what it needs from the share at deployment time.

 

Dec 18, 2011 at 5:09 AM

Ok, I figured out the second  part of my problem. I am new to MDT and I did not realize that I had to edit the Bootstrap.ini file of the deployment share to specify the username, password, and domain it would use to contact the share.  Once I did that, the deployment was able to bring up the choice of task sequences, and I could run them.

But I still had to first place the ISO in a location local to the Hyper-V host so I could mount the ISO on the VM without it complaining about invalid credentials.  If you know of a way to mount the ISO on a hyper-v vm while pointing directly to \\VSTSR-MDT-NLL\DeploymentShare$\Boot\VSTSR-MDT-NLL-LiteTouchPE_x64.iso instead of copying it to my host, let me know.

Thank you for starting this project, by the way. It is a bit of work for a developer like me to master all this infrastructure stuff. But I can see the benefit to it once one gets it working. I seem to play with software a lot, so I figure there will be ROI for me even this month alone.

 

Developer
Dec 18, 2011 at 10:34 PM

Good to hear that you're unblocked. :-)

Basically, it's just windows authentication, but both the fact that the VM Factory is non-domain-joined and Hyper-V's way of authenticating for ISO access from a VM make it a bit more complicated. The ISO only changes if you change something in your bootstrap.ini. In my experience, that's hardly ever, so I just copy it to the Hyper-V machine (or the SCVMM library) and be done with it.

We have a special reason not to join the VM factory machine to the domain. On the Microsoft coporate network, IPSEC policies prevent windows file sharing between non-domain joined clients (i.e. the VM that we're building) and domain-joined servers (a VM Factory). That's why we don't join them to the domain. If your domain doesn't have these strict IPSEC policies, you can also join your VM Factory to your domain. In that case, it will be a tiny bit easier to authenticate Hyper-V VM's for the boot ISO's although I think its still a hassle. :-)

Dec 18, 2011 at 11:01 PM

Thanks for the explanation. Given that context, I will feel free to join the factory to my domain if it suits me. After all, it is my home domain, the one place where I get to decide what the rules are!